Security and privacy FAQ
How we protect accounts, data, and your domains.
What is WHOIS privacy and do I need it?
WHOIS is a public directory of domain registration data — owner name, address, email. Privacy replaces those fields with a forwarding service so spammers can’t harvest them.
You probably want it on for personal .com / .net / .org domains. You can’t have it on .au — registry policy mandates public WHOIS for all .au TLDs.
Are my registration details public?
For TLDs that allow privacy, with privacy on: only your name and a forwarding address show up. Full record stays with us and the registry.
For TLDs without privacy (.au family, .de, .fr, others), full registrant data is public. EU GDPR led most registries to redact personal data in WHOIS responses by default for individuals; commercial registrants stay public.
How do you store API keys?
We store only the key prefix (the first 12 chars of a key such as dg_live_2k8n4j7s9...) and an Argon2id hash of the remainder. The full key never lives on our servers after we hand it back to you in the create response.
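An added illustration of the prefix-plus-hash scheme described above (example code, not DomainGenius's own): the server keeps the clear-text prefix for lookup and a salted slow hash of the rest, and checks presented keys in constant time. hashlib.scrypt from the standard library stands in for Argon2id so it runs without extra packages; the key format and function names are assumptions.

```python
import hashlib
import hmac
import secrets

PREFIX_LEN = 12  # stored in the clear for lookup, as in the FAQ


def _slow_hash(secret: str, salt: bytes) -> bytes:
    # Stand-in for Argon2id: scrypt is in the stdlib; in production use
    # argon2-cffi's PasswordHasher with type=Type.ID instead.
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def generate_key() -> str:
    # Hypothetical format mirroring the dg_live_ prefix from the FAQ.
    return "dg_live_" + secrets.token_urlsafe(24)


def create_key_record(full_key: str) -> dict:
    # Only the prefix, a fresh salt and the hash of the remainder are
    # persisted; the full key is returned to the caller exactly once.
    prefix, rest = full_key[:PREFIX_LEN], full_key[PREFIX_LEN:]
    salt = secrets.token_bytes(16)
    return {"prefix": prefix, "salt": salt, "hash": _slow_hash(rest, salt)}


def verify_key(presented: str, records: list) -> bool:
    # Prefix narrows the candidates (prefixes may collide, so iterate);
    # the remainder is re-hashed and compared in constant time.
    prefix, rest = presented[:PREFIX_LEN], presented[PREFIX_LEN:]
    for rec in records:
        if rec["prefix"] != prefix:
            continue
        candidate = _slow_hash(rest, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            return True
    return False


def revoke_key(prefix: str, records: list) -> list:
    # Deletion is immediate: dropping the record makes verify_key fail.
    return [rec for rec in records if rec["prefix"] != prefix]


if __name__ == "__main__":
    key = generate_key()
    store = [create_key_record(key)]
    print("valid:", verify_key(key, store))                # True
    print("after revoke:", verify_key(key, revoke_key(key[:PREFIX_LEN], store)))  # False
```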
What if I leak a key?
Revoke it at /dashboard/api-keys. The deletion is immediate.
We also scan public GitHub commits for dg_live_ patterns. Matches are auto-revoked and you get an email. Don’t rely on us catching everything — review your secrets hygiene.
Do you support MFA?
Yes — TOTP (any RFC 6238 authenticator app) and WebAuthn / passkeys. Add at /dashboard/security. For org owners we recommend WebAuthn — phishing-resistant, fast, no shared secret.
Can someone steal my domain by guessing my password?
A password alone won’t move a domain. State-changing operations from a logged-in session require:
- Recent re-auth (sensitive ops re-prompt for password or MFA).
- A confirmation step for transfers and contact changes (email link).
- An audit log entry visible to other org owners.
A stolen API key with domains:write could push a domain to another org you also own, but couldn't transfer it to a different registrar without the EPP code. Note, though, that the EPP code is returned in the GET /domain response to any key with domains:write, so whoever holds that key can still obtain it. Rotate keys regularly.
What’s the registry-lock?
A premium feature for high-value domains: the registry refuses to accept any change requests until you authenticate out-of-band (a phone call, a multi-party email confirmation). It locks DNS changes as well as transfers.
We support registry-lock for select TLDs (.com, .net, .org, .com.au). Email support@domaingenius.com.au to enable on a domain — we set up the out-of-band protocol once, then any sensitive op needs the lock-bypass step.
Where is data stored?
Australia (primary) and Singapore (read replicas). DNS data lives on Cloudflare’s global edge. We’re not subject to US CLOUD Act demands.
Are you SOC 2 / ISO 27001 certified?
ISO 27001 audit in progress (target Q4 2026). SOC 2 Type II planned for early 2027. We can share our security questionnaire, vendor risk doc, and DPIA on request.
How do you handle data deletion requests?
Per Australian Privacy Principles and GDPR Article 17. Submit at privacy@domaingenius.com.au — we delete personal data within 30 days, retaining only what we’re required to keep (transaction records under tax law, audit logs under registrar accreditation).
Can I get a copy of my data?
Yes — request via privacy@domaingenius.com.au. Within 30 days you get a JSON export of every record we hold under your user_id, plus a CSV of audit log events. Free, once per year; nominal fee for additional pulls.